Date: Sun, 1 Aug 2004 02:02:45 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Steve Bertrand <iaccounts@ibctech.ca>
Cc: freebsd-questions@freebsd.org
Subject: Re: [OT] Firewall Rule Set not allowing access to DNS servers?
Message-ID: <20040731230245.GB1048@gothmog.gr>
In-Reply-To: <10685.64.39.177.47.1091296278.squirrel@64.39.177.47>
References: <MIEPLLIBMLEEABPDBIEGEECPGIAA.Barbish3@adelphia.net> <000401c47721$07faf590$6e01a8c0@sabrina> <20040731173613.GA30298@gothmog.gr> <10685.64.39.177.47.1091296278.squirrel@64.39.177.47>
On 2004-07-31 13:51, Steve Bertrand <iaccounts@ibctech.ca> wrote:
> > There are many ways in which your ruleset might break. Two of the
> > most important comments I wanted to make when I first saw the posts
> > of this thread are:
> >
> > a) Why do you use static rule numbers?
> >
> > You'd only have to use static rule numbers if your ruleset
> > had more than 65536/100 = 655 rules. This limit is
> > relatively hard to hit in a SOHO installation (Small Office,
> > Home Office). If you do reach such limits, there's
> > definitely something weird going on with the way your ruleset
> > is written ;-)
> >
>
> Giorgos, I am interested in where I can get more information about
> this. Are you suggesting that IPFW reads the ruleset and formulates a
> rule number according to position in the script? (I always use custom
> scripts).
The description of `rule number' in the ipfw(8) manpage explains the way
ipfw chooses rule numbers automatically:
rule_number
Each rule is associated with a rule_number in the range
1..65535, with the latter reserved for the default rule.
[...]
If a rule is entered without specifying a number, the kernel
will assign one in such a way that the rule becomes the last
one before the default rule. Automatic rule numbers are
assigned by incrementing the last non-default rule number by
the value of the sysctl variable net.inet.ip.fw.autoinc_step
which defaults to 100.
This means that the largest number of rules you can add with unique
numbers is 65534. The 65535 rule is the default firewall rule, either
a deny rule or an allow if the kernel was compiled with the option
IPFIREWALL_DEFAULT_TO_ACCEPT enabled.
The autoincrement step is the number that is automatically added to
rule numbers when you don't specify one. For example, note the
numbers that get assigned to the rules below:
root@gothmog[01:49]/root# kldload ipfw
root@gothmog[01:49]/root# ipfw -q flush
root@gothmog[01:49]/root# ipfw add pass ip from 127.0.0.1 to 127.0.0.1 via lo0
00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
root@gothmog[01:49]/root# ipfw add deny ip from 127.0.0.1 to any
00200 deny ip from 127.0.0.1 to any
root@gothmog[01:49]/root# ipfw add deny ip from any to 127.0.0.1
00300 deny ip from any to 127.0.0.1
root@gothmog[01:49]/root# ipfw show
00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 0 0 deny ip from 127.0.0.1 to any
00300 0 0 deny ip from any to 127.0.0.1
65535 0 0 deny ip from any to any
root@gothmog[01:49]/root# ipfw -q flush
root@gothmog[01:49]/root# kldunload ipfw
root@gothmog[01:49]/root#
> If this is true, how does this ``dynamic'' feature get affected when
> one houses multiple rule _sets_?
If you have multiple sets of rules that you load at random times, and
the rulesets do not explicitly specify a starting rule number they'll
be ``stacked on top of each other'' as shown below:
root@gothmog[01:56]/root# ls -l ruleset*
-rw-r--r-- 1 root wheel - 117 Aug 1 01:54 ruleset-lo0
-rw-r--r-- 1 root wheel - 61 Aug 1 01:55 ruleset-misc
-rw-r--r-- 1 root wheel - 161 Aug 1 01:56 ruleset-tcp
root@gothmog[01:56]/root# cat ruleset-lo0
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1
root@gothmog[01:56]/root# cat ruleset-misc
add allow udp from any to any
add allow icmp from any to any
root@gothmog[01:56]/root# cat ruleset-tcp
add check-state
add deny tcp from any to any established
add allow tcp from any to any out setup keep-state
add allow tcp from any to any 22 in setup keep-state
root@gothmog[01:56]/root# kldload ipfw
root@gothmog[01:57]/root# ipfw -q flush
root@gothmog[01:57]/root# ipfw show
65535 0 0 deny ip from any to any
root@gothmog[01:57]/root# ipfw /root/ruleset-lo0
00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 deny ip from 127.0.0.1 to any
00300 deny ip from any to 127.0.0.1
root@gothmog[01:57]/root# ipfw /root/ruleset-misc
* 00400 allow udp from any to any
00500 allow icmp from any to any
root@gothmog[01:57]/root# ipfw /root/ruleset-tcp
* 00600 check-state
00700 deny tcp from any to any established
00800 allow tcp from any to any out setup keep-state
00900 allow tcp from any to any dst-port 22 in setup keep-state
root@gothmog[01:57]/root# ipfw show
00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 0 0 deny ip from 127.0.0.1 to any
00300 0 0 deny ip from any to 127.0.0.1
00400 0 0 allow udp from any to any
00500 0 0 allow icmp from any to any
00600 0 0 check-state
00700 0 0 deny tcp from any to any established
00800 0 0 allow tcp from any to any out setup keep-state
00900 0 0 allow tcp from any to any dst-port 22 in setup keep-state
65535 0 0 deny ip from any to any
Note, at the two lines marked with `*' and in the `ipfw show' output,
how each set of rules gets attached to the end of the previous ruleset
by starting to number its rules with a number higher (by 100) than the
last rule of the previous ruleset.
If you load the rulesets in a different order, the numbers still
increase by 100 but come in a different order to match the order the
sets were loaded:
root@gothmog[01:57]/root# ipfw -q flush
root@gothmog[01:57]/root# ipfw /root/ruleset-lo0
00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 deny ip from 127.0.0.1 to any
00300 deny ip from any to 127.0.0.1
root@gothmog[01:57]/root# ipfw /root/ruleset-tcp
* 00400 check-state
00500 deny tcp from any to any established
00600 allow tcp from any to any out setup keep-state
00700 allow tcp from any to any dst-port 22 in setup keep-state
root@gothmog[01:57]/root# ipfw /root/ruleset-misc
* 00800 allow udp from any to any
00900 allow icmp from any to any
root@gothmog[01:57]/root# ipfw show
00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 0 0 deny ip from 127.0.0.1 to any
00300 0 0 deny ip from any to 127.0.0.1
00400 0 0 check-state
00500 0 0 deny tcp from any to any established
00600 0 0 allow tcp from any to any out setup keep-state
00700 0 0 allow tcp from any to any dst-port 22 in setup keep-state
00800 0 0 allow udp from any to any
00900 0 0 allow icmp from any to any
65535 0 0 deny ip from any to any
> Can you please provide any links to information that I can gain
> valuable information on this? This would certainly make ruleset
> creation much easier ;o)
>
> Also, links to any information on how/what/why on the 16b/100 limit on
> the dynamic rules, so I (we) can learn more about this?
I'm not sure I understand this question :-/
Cheers
- Giorgos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040731230245.GB1048>
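Added example (not part of Giorgos's reply and not ipfw's own source): a small Python model of the numbering rule quoted from ipfw(8) above, so the stacking behaviour can be checked without loading the kernel module. The three rulesets are the ones from the session above, embedded as strings; the `Chain` class, its methods and the `DEFAULT_RULE`/`AUTOINC_STEP` names are this model's own. It reproduces the numbers shown for both load orders and also shows what happens when a file mixes explicit and automatic numbers. It does not rewrite rule syntax the way ipfw does (`pass` to `allow`, `22` to `dst-port 22`), and where the next automatic number would run into the default rule 65535 it raises an error; that refusal is the model's own check, not a statement about what the kernel does in that case.

```python
"""Model of ipfw's automatic rule numbering as described in ipfw(8).

Added example, not ipfw source.  Rules without a number get
(highest non-default rule number) + autoinc_step, exactly the rule
that makes separately loaded files stack in load order.
"""
from dataclasses import dataclass, field

DEFAULT_RULE = 65535   # reserved for the default rule (ipfw(8))
AUTOINC_STEP = 100     # default of net.inet.ip.fw.autoinc_step

# Constructed inputs: the three ruleset files shown in the thread.
RULESET_LO0 = """\
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1
"""
RULESET_MISC = """\
add allow udp from any to any
add allow icmp from any to any
"""
RULESET_TCP = """\
add check-state
add deny tcp from any to any established
add allow tcp from any to any out setup keep-state
add allow tcp from any to any 22 in setup keep-state
"""


@dataclass
class Chain:
    """A firewall chain: numbered rules kept sorted, plus the default rule."""
    step: int = AUTOINC_STEP
    rules: list = field(default_factory=list)   # [(number, body), ...]

    def add(self, line: str) -> int:
        """Mimic `ipfw add [number] <rule>`; return the number used."""
        tokens = line.split()
        if tokens and tokens[0] == "add":
            tokens = tokens[1:]
        if tokens and tokens[0].isdigit():
            # Explicit number: must lie below the reserved default rule.
            number = int(tokens[0])
            body = " ".join(tokens[1:])
            if not 1 <= number < DEFAULT_RULE:
                raise ValueError(f"rule number {number} out of range")
        else:
            # Automatic number: last non-default rule + autoinc_step.
            body = " ".join(tokens)
            last = self.rules[-1][0] if self.rules else 0
            number = last + self.step
            if number >= DEFAULT_RULE:
                # Model's own check (assumption): refuse to collide with 65535.
                raise ValueError("automatic numbering reached the default rule")
        self.rules.append((number, body))
        # Stable sort: an explicit number lower than existing rules is
        # inserted before them, which changes first-match evaluation order.
        self.rules.sort(key=lambda r: r[0])
        return number

    def load(self, text: str) -> list:
        """Load a ruleset file body; return the numbers assigned, in order."""
        return [self.add(ln) for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")]

    def flush(self) -> None:
        """Mimic `ipfw -q flush`: drop everything but the default rule."""
        self.rules.clear()

    def show(self) -> list:
        """Listing in `ipfw show` style (no packet/byte counters)."""
        lines = [f"{n:05d} {body}" for n, body in self.rules]
        lines.append(f"{DEFAULT_RULE} deny ip from any to any")
        return lines


if __name__ == "__main__":
    chain = Chain()
    for text in (RULESET_LO0, RULESET_TCP, RULESET_MISC):
        chain.load(text)
    print("\n".join(chain.show()))
```

The `load` order is the whole story: because each automatic number is derived from whatever happens to be the highest rule already in the chain, a file loaded later always lands after a file loaded earlier, so the position of an `allow` relative to a `deny` depends on script order rather than on anything written in the files. Giving a file an explicit starting number (`add 1000 ...`) pins it, and the model shows that a later automatic rule then continues from that explicit number.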
